From: [redacted] (OAKLEY HEALTH GROUP)


Sent: 30 October 2019 15:34 

To: casework 

Subject: Your Tweets re Major vs Darren, Jackson & Ors (2019) 

Attachments: ICOtweet.pdf; Mills & Reeve Case commentary anon (Major v Dr Jackson.pdf 
Dear ICO, 


We are writing to you to express our concern at a number of recent messages that 
you have put out on Twitter, as attached, regarding the recent court case Major vs 
Darren, Jackson & Ors (2019), also attached. 


“A court decision concerning the release of patient records has been the subject of 
online discussion in recent days. Despite reports, the case didn't involve the issue of 
Subject Access Requests (SARs) but rather the release of patient records by order of 
the courts.” 


Firstly, this case was very much about the issue of SARs, albeit in relation to SARs 
made by patients for the purposes of civil litigation (personal injury/clinical 
negligence etc). However, such SARs form the overwhelming bulk of requests 
received by GP surgeries. 


Secondly, the case was not in relation to the release of patient records by order of 
the courts, rather it concerned an application for disclosure for documents, under CPR 
31.17, on the allegation that the SAR made by the patient had not been upheld (i.e. 
that disclosure of the requested information, in line with Article 15, had not been 
made) and that the surgery had not followed the requisite pre-action protocol 
expected by the courts. 


No court order had been made prior to the court case, and, as it turns out, no court 
order was subsequently made. 


The data subject - the GP surgery’s patient - made a SAR with the assistance of her 
solicitors. That SAR was duly received, assessed, processed, and made available (that 
is, supplied or provided) to the patient. Her right of access was fully upheld. Since 
the patient lived locally (as almost all patients of a GP surgery do), and that patient 
regularly attended the GP surgery premises, and was perfectly physically capable of 
doing so, the record was made available for her to collect at her convenience. 


The data subject refused to do so, even attending the surgery on numerous occasions 
without collecting the SAR, but provided no explanation as to why she refused to do 
so, other than we know that she, in common with other patients, had been explicitly 
told by her solicitors not to collect her own GP records. At no time did the data 
subject ask for her SAR to be posted to her, or to be emailed to her, or to be hand- 
delivered to her, or for her record to be accessible via a secure online platform. 


It was her solicitors — the third party assisting her in the SAR - that demanded the 
SAR be sent directly to them, bypassing the data subject completely. And the order 
for disclosure did not seek that the requested documents be disclosed to the patient, 
rather her solicitors wanted the court to order the surgery to send the SAR directly to 
them. The judge, as the verdict shows, was having none of this and promptly
dismissed the application. 


To be clear, the case was not about the data subject insisting that the GP surgery 
post her the SAR (instead of her collecting it) but was about her solicitors asserting 
that the GP surgery was compelled by law to disclose the SAR directly to them (a 
third party). 


There is no obligation for GP surgeries to send SAR responses, to the data subject, by 
post. Article 15 makes no such requirement. The obligation is to “provide a copy” (or 
“supply” as the ICO’s own subject access code of practice guidance 2017 makes 
clear). 


The judge in that case did not comment on the assertion, by the claimant’s solicitors, 
that the GP surgery had not upheld Article 15 as a result of her abject refusal to 
collect the SAR as provided/supplied. The judge did, however, make clear that “the
supply of that information (by copy documents available at the practice) is freely 
given by the Respondents to the Claimant” and that “it would have been a simple 
matter for her to acquire the notes on any one of those occasions”. 


We note the comments made by Mills & Reeve: “The issue as to whether, in making
the documents available at reception for a patient to collect (as is customary for a GP 
surgery) the Practice had fulfilled its obligations under GDPR, was not explored by the 
court. It may be subject to future challenge, either in the courts or before the 
Information Commissioner.” 


We believe that where it is entirely reasonable to 


• provide the SAR by means of collection, or
• where the SAR is posted to the patient, or
• where the SAR is emailed to the patient, or
• where the SAR is hand-delivered to the patient, or
• where a SAR is made available by means of a secure online platform


then a refusal by the data subject to collect the SAR, or sign for a posted SAR, or 
open the emailed SAR, or sign for the hand-delivered SAR, or register for and access 
a SAR provided by means of a secure online platform, neither: 


• represents a failure to uphold Article 15 and the right of access, nor
• represents a failure to comply with any pre-action protocol or civil procedure
  rule as expected by the courts


Equally, a refusal to disclose the SAR directly to the third party, so bypassing the 
data subject completely, neither: 


• represents a failure to uphold Article 15 and the data subject’s right of access,
  nor
• represents a failure to comply with any pre-action protocol or civil procedure
  rule as expected by the courts

and that Major vs Darren, Jackson & Ors (2019) supports all of this. 


“As such, the legal position regarding GP practices responding to SARs remains 
unchanged and surgeries should follow ICO guidance and advice from the BMA on 
how to comply with the law.” 


GP surgeries are in a somewhat unique position as data controllers, and we have a 
unique relationship with our patients. Almost all our patients live within a few miles of 
the surgery (or one of our surgeries, if more than one site) and regularly attend our 
premises for medical care, as well as to collect forms, prescriptions, certificates etc. 
Even patients who live outside of our normal practice boundary as part of the NHS 
“out of area” scheme attend the surgery for medical care. 


GP surgeries are, therefore, in a unique position to provide the contents of a SAR 
securely, responsibly, reasonably, and proportionately, and in doing so fully uphold 
the data subject’s right to be provided with a copy of their personal data. 


Holding the SAR safely at the surgery until our patient can collect it is entirely 
reasonable and the most secure way of supplying (or “providing”) the record to the 
data subject. In doing so, we have implemented appropriate organisational and 
technical measures to ensure that: 


• the information contained within the medical records remains confidential
• is accessed only by the individual to whom the data belongs
• there is no accidental loss, destruction, or damage of the record in transit
• the medical record is processed in a manner that ensures appropriate security and
  integrity of the personal confidential data requested
• we uphold Article 5(1)(f) of the GDPR


Where collection is genuinely not possible (e.g. a patient in a nursing home), the GP 
surgery would always provide the SAR in a different way. 


And where it was necessary to post the record to the data subject, we would. 


Patients who make SARs, either directly or with the assistance of (or “via”, as the 
ICO refers to) a third party (such as solicitors, medical records agencies working for 
solicitors, or the Criminal Injuries Compensation Authority), are almost always happy 
either to collect their SAR themselves or to authorise a spouse/partner/relative to do 
this for them. They absolutely do not demand that we post them their SAR. But they
are, seemingly, told not to collect the SAR - to refuse to do so - by certain solicitors.
Many are quite upset at being told that they are “not allowed” to collect their own
GP records, from their own GP surgery, on an assumption that they could “tamper” 
with, or falsify, their records. 


Thankfully almost all patients disregard such fatuous instructions from their solicitor, 
collect their records, and read through their own personal confidential information. 
And as a result, many are profoundly grateful for the opportunity to know exactly 
what was in their GP record before their solicitor received any such information. 


We make clear to our patients: 
Disclosing your SAR directly to a third party would neither: 


• be providing you, the data subject, with a copy of your personal data
• be allowing you, the data subject, access to your personal data
• be allowing you, the data subject, to find out:
  o what personal data we hold about you
  o how we use your personal data
  o who we share your personal data with
  o who has access to your personal data
  o where we obtained your personal data from

which would be a contravention, by us, of Article 15 of the GDPR. 


We also point out to the patient that were we to disclose their SAR directly to a third 
party: 


• that we could be disclosing excessive information - the records requested may go
  far beyond that necessary for the intended purpose
• that you would not be in a position to be aware of, and verify, the lawfulness and
  nature of the processing of your personal data, in line with Recital 63 of the GDPR
• that you would not be in a position to determine the accuracy of your GP medical
  record and, if so needed, exercise your right to rectification
• that you would not be in a position to exercise your right to object to aspects of
  processing of your personal data
• that you would not be in a position to determine whether the processing of your
  personal data was infringing the GDPR and so exercise your right to lodge a
  complaint with a supervisory authority
• that you would not be in a position to determine whether there was personal
  confidential information that you did not wish to share with a third party
• that sections 184 and 185 of the DPA 2018 afford you important protections and
  safeguards (against “enforced access”) for your confidential medical information
  which would be bypassed, to your detriment, were we to disclose your SAR
  directly to a third party
• that, if you are a claimant in a legal matter, you would be unaware of the
  information that might be, or would have to be, disclosed by your solicitor (i.e.
  “served”) to the defendant’s legal representative
• that you will not be in control of your own medical information

We are mindful of the following case (related to DPA 1998): 


Johnson v The Medical Defence Union Ltd (1) [2004] EWHC 2509 (Ch) (09 November 
2004) 


19 The data subject's ability to make use of the safeguards given to him by ss 10 to 
14 are dependent upon him knowing what personal data relating to him is controlled, 
and how it has been and will be processed or used, by the data controller. However, 
in the majority of cases the data subject will have little or no knowledge of these 
matters. He may not even know whether any personal data are held by the data 
controller. To overcome this, the DPA provides individuals with a mechanism by 
which they can find out what data, if any, are held by data controllers and, where 
such data are held, to what use they have been or will be put. 


(for ss 10 -14 we would now refer to s96 - 100 of DPA 2018. The "mechanism" is, of 
course, the right of access, Article 15). 


The BMA guidance on responding to SARs carries no legal or contractual weight with 
GP surgeries. It is their opinion only, and many surgeries do not agree with their 
view. 


Some solicitors also take the view that the use of SARs to obtain documents for civil 
litigation purposes is the wrong approach and could well be, as many GPs believe, an 
enforced SAR: 

https://www.dacbeachcroft.com/en/gb/articles/2018/june/forms-of-authorit-for-medical-records-post-gdpr/


“Data controllers are responsible for providing a SAR response to the individual or 
their appointed representative. A person should not have to take action to receive the 
information, such as by collecting it from the controller’s premises, unless they agree 
to do so.” 


We are mandated to provide the data subject with their SAR. We are not mandated 
to transfer, or disclose, personal confidential medication information to a third party 
as a result of a data subject’s access request. There are no provisions in Article 15 of 
the GDPR to compel us to process data in that way. 


There are no provisions in Article 15 of GDPR, and no requirement under data 
protection law - not a single word - whereby: 


• a DSAR is lawfully fulfilled by bypassing the data subject and disclosing (i.e.
  processing) their personal confidential information to a third party
• a third party “becomes” a data subject, or “inherits” data subject rights, or data
  subject rights are “transferred” to that third party, by virtue of assisting the
  individual in making their DSAR


Our legal obligation as data controllers is to uphold the data subject’s right of access. 
It is not to uphold a firm of solicitors’ right of access - because they have no right of
access. 


A solicitor assisting a data subject in making their SAR does not become the data 
subject - because neither do we hold personal data about that solicitor nor is that 
solicitor seeking their own personal data from us. 


A firm of solicitors cannot be, or “become”, the data subject because a data subject 
must be a “natural” person or individual who is the subject of personal data; that is, 
an “identified or identifiable living individual to whom personal data relates” (Data 
Protection Act 2018, Part 1 3(5)). 


The processing of a SAR, and its disclosure to the data subject, is on the lawful basis 
of legal obligation (Article 6(1)(c)). But that obligation is to the data subject, no-one
else. 


As such, we are not responsible for providing a SAR to an appointed representative. 


It is our responsibility to provide the SAR to the data subject. 


It is the data subject’s responsibility to provide it, in part or whole as they wish, to 
their appointed representative should they wish to further their legal claim. 


We assess all SARs on an individual basis, and we do disclose SARs to third parties in 
certain circumstances, including where otherwise no disclosure would, or could, take 
place (a data subject in prison, for example). 


Outwith a SAR, we disclose relevant medical information directly to a third party,
such as an attorney holding an LPA for Health & Welfare, where the data subject has 
lost the requisite capacity to receive their information. 


Our patients do not disagree to collect the SAR from their GP surgery. They 
absolutely agree, as is evident by the 99.9% of patients who readily come and collect 
the SAR as soon as it is ready. 


Nevertheless, we do recognise that the approach taken by many GP surgeries in 
providing the SAR in this way is not applicable to many, or perhaps any, other 
organisations. There clearly cannot be a situation where an organisation in Liverpool 
provides SARs for collection to data subjects living in Cornwall. 


Nor do we believe that the court case set a precedent for doing so, as the freely 
given disclosure of documents by the GP surgery in that case was held to be entirely 
reasonable because the data subject lived locally and because she regularly attended 
the GP surgery for her medical care. 


GP surgeries fully uphold their patient’s right of access. We almost never assess a 
SAR for a patient’s GP record as either excessive or unfounded. We have championed 
the right of access and transparency. Many surgeries have been offering secure 
online access to the electronic GP record for many years. Some have given the 
patient their written GP record to read in the waiting room whilst waiting to be called 
in by their doctor. 


We fully recognise the right of patients to make SARs assisted by, or via, third 
parties for the purposes of civil litigation (or for any other purpose, given that SARs 
are purpose-blind), and whilst many of us have concerns about “enforced SARs”,
we understand that solicitors will require sight of medical records to progress any 
such claim. If requested under a SAR, then those records must come from the data 
subject if we, as data controllers, are to lawfully uphold our patients’ right of access. 


It is neither our responsibility, nor our legal obligation, to bypass the data subject 
and provide the third party with the GP record directly. 


Yours sincerely, 


Wimbledon Village Surgery
Nuneaton
Ealing CCG
Cardiff
The Village Medical Centre
The Portmill Surgery
Shap Medical Practice
Vine House Health Centre
Dinas Lane Medical Centre
New Longton Surgery
The Corner Surgery, Southport
Forum Family Practice
Carden Medical Practice, Aberdeen
Health Care First Partnership, Wakefield
Chester Orthopaedic Surgery
Wey Family Practice, Surrey
Killynether Practice Newtownards, Northern Ireland
Issa Medical Group, Preston
St Wulfstan Surgery, Southam, Warwickshire
Ulverston, Cumbria
Bury Road Surgery
Rn slcadiess Medical Centre, Sheffield
Staithe Surgery, Stalham
EE E Wood Medical, Belfast
The Marshside Surgery, Southport & The Family Surgery Southport.
Ripon Spa Surgery, Ripon North Yorkshire
Eynsham Medical Group,
©9522" Surgery, Thanet
Ormeau Health Centre, Belfast
The Green House Surgery, Redcar
GP & CG Dingle Park Practice, Liverpool
Rowantree Practice, Belfast
Mike Oak Medical Centre
Courtside Surgery, Bristol
Abbots Bromley Surgery, Staffordshire
Aintree Park Group Practice, Liverpool
I v- Dover R020 Surgery, Canterbury
Waterfoot Medical Practice, Waterfoot, Rossendale
o cherry citcy Group Practice, Belfast


